Possible “Unintended Consequences” of the General Data Protection Regulation

The intentions of the European Union’s General Data Protection Regulation are as laudable as they are simple. According to Osterman Research Group Principal Analyst and Founder Michael Osterman, the goal of this standard “forces companies to get their data governance under control and allows consumers, or owners of data, to be in control of their data.”

What is less documented, however, is the potential for decidedly unintended consequences of GDPR that may produce noxious effects on even those organizations that have made concerted efforts to comply. The drivers for those effects, of course, are the costly penalties associated with non-compliance, which are either 2 to 4 percent of a company’s annual turnover or 10 to 20 million Euros—whichever is more.

When one considers these penalties are applicable to organizations that possess the data of even a single resident of the EU, the potential for unintended consequences becomes more distinct. Once organizations fully understand the extremely granular nature of the regulations involved in GDPR, the potential for the negative impact of unintended consequences becomes clear. The most obvious ones pertain to organizational targeting, diminishing e-commerce, and restricting freedom of the internet. Others may also arise.

Protecting Personally Identifiable Data
The general pretext for the costly penalties of GDPR is the prevention of the loss of data that are personally identifiable. To that end, some of the specific mandates of GDPR may surprise organizations not prepared for its May 25 enforcement date. Among other facets of this standard, organizations are responsible for:

Downstream Data Effects: According to Osterman, organizations with data of those who reside in the EU are considered “data controllers”. Thus, such companies are responsible for virtually anything they do with those data, including issuing them to third parties for marketing or communication purposes. “If I have a mailing list and I want to send out an email offer, I have to make sure not only that I’ve cleaned the data of any EU residents that haven’t opted in to receive my communications, but I have to make sure that anybody I give that to is going to process it in a way that’s GDPR compliant,” Osterman explained.

Data Disassociation: In certain cases, organizations are expected to disassociate a person’s identity from their data to preserve his or her anonymity. Although this requirement is horizontal, the healthcare field serves as a good example of what’s involved. “You can process their medical information to do statistics on, let’s say how many people have certain conditions, but you can’t associate that with a person,” Osterman said. “So you’re going to have to have those technologies in place.”

Data Movement: The movement of data highlights the need to secure data in motion, as opposed to when they’re sitting in a secure repository. Osterman mentioned organizations will “have to do application security testing, to make sure you don’t have vulnerabilities in your web browsers, Microsoft applications, Salesforce, and what have you.”

Most importantly, perhaps, organizations will have to conduct user awareness training to ensure that personnel are competent in the vast array of measures required for compliance. These concerns and others are addressed in a recent report entitled The Procrastinator’s Guide to Preparing for GDPR.

Unintended Consequence No. 1: Targeting Organizations
Among the newfound rights that GDPR gives consumers is the right to seek an accounting of the data organizations have about them. The desired intention of this mandate is to promote transparency while empowering consumers with information about what is regarded as their data. “If it’s our data it belongs to us and companies…should have to gain our permission to use it in ways that we haven’t authorized,” Osterman commented. “The downside is I think there will be some unintended consequences of GDPR.” Depending on the nature and complexity of the request, organizations have a maximum of 90 days to respond. Osterman discussed scenarios in which individuals or grassroots organizations exploit this measure, issuing tens of thousands of requests simply to cause difficulty for socio-political purposes: “For companies that don’t have the systems in place, it can be prohibitively expensive to gather this information and you can target companies to do that.”

Dampening E-Commerce
There is also the potential for GDPR mandates to considerably slow the progress of e-commerce opportunities. E-commerce applications may be particularly sensitive to these regulations since, depending on how real-time they are, they may involve the movement of data such as credit card or geo-spatial information. According to Osterman, “GDPR may stifle e-commerce. It may be, for example, that marketing to European residents goes down because you don’t want to take the chance that maybe they haven’t opted into this particular communication.” In this respect the enormity of the penalties for non-compliance are interrelated with another prominent aspect of GDPR: data owners (consumers) must consent to how their data is used. Therefore, mass marketing campaigns and spam can have expensive repercussions for organizations that are deemed non-compliant in this respect. Osterman mentioned a similar situation involving Canada’s Anti-Spam Legislation in which organizations “can accidentally send an email to someone who shouldn’t have received it”, in which case it may be better simply to not market to Canadian residents.

Internet Restrictions
The degree of permissions GDPR requires may restrict website trafficking in other ways. For instance, simply accessing a company’s website may prove complicated for those who reside in the EU since potentially “they’re going to have to get permission every step of the way and it’s going to be very cumbersome,” Osterman said. The plurality of this difficulty should not go unnoted. Not only will companies have to decrease their website trafficking, which could possibly reduce their visibility, but potential customers in the EU will also have reduced opportunities to explore the web, shop, or learn about the offerings of different websites. Although such a situation represents the extreme end of the spectrum, it is a possibility nonetheless.

The Cost of Protection
The spirit of many of the stipulations of the GDPR is clear. It’s attempting to maintain the protection of data for their rightful owners, the people whose data organizations routinely capture and use for any variety of purposes. In doing so, this standard is calling for much greater accountability on the part of firms in possession of such sensitive data. According to Osterman, had such notable breaches as Target’s 2013 breach, eBay’s 2014 breach, and Equifax’s 2017 breach been subjected to GDPR mandates, those companies would have been assessed penalties exceeding $2.5 billion, $600 million, and $100 million, respectively.

“I think GDPR is a good thing in that it’s going to require companies to have very good data governance,” Osterman reflected. “I think it’s going to be painful getting there because you have to have the ability not only to archive data and understand where all of your data is, you have to be able to encrypt it. You have to have very good security.”

Keep Calm & Get Hired!

View from @AnalyticsWeek

Login

This page is having a slideshow that uses Javascript. Your browser either doesn't support Javascript or you have it turned off. To see this page as it is meant to appear please use a Javascript enabled browser.